This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/address-policy-wg@ripe.net/
[address-policy-wg] the implications of RPKI certificate revokation
- Previous message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
- Next message (by thread): [address-policy-wg] the implications of RPKI certificate revokation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jim Reid
jim at rfc1035.com
Thu May 5 09:45:04 CEST 2011
On 4 May 2011, at 17:24, Brian Nisbet wrote: > You seem to be imagining a scenario where a national governement > would just ring up the NCC and say, "revoke these certs." I have > seen no evidence to suggest this risk is anything close to real. I suppose this depends on the definition of "real" and "evidence" Brian. If the NCC gets told to revoke a cert -- eg via a Dutch court order or equivalent -- it will have to do that. It would be sensible to assume that well-funded and/or litigious organisations might well be minded to pursue that avenue if they think getting a cert revoked will either disrupt or shut down some activities they dislike. Or bury their opponents in legal costs before it gets to the point where a court order gets issued. Certificates for routing will provide another vector for these sorts of layer-9 and up attacks. IMO it's foolish to assume or pretend otherwise. There are parallels with existing "control" mechanisms that governments and others use to restrict access to illegal content (for some definition of illegal content). If another control mechanism is made available, it will be used: that's the nature of the beast. [In this context RPKI has that control property as a side-effect.] Assuming that it won't or suggesting there's no real risk is just not credible, sorry. And from a practical perspective, is there really a material difference between a blacklist of naughty IP address blocks (commonly used today) and address blocks that have revoked certs (probably commonly used tomorrow) as control mechanisms? Personally, I'm not too fussed by this. The bad guys are not likely to be forming an orderly queue to get their certs from the NCC. And I think/hope the Dutch courts would take a robust view when governments or the Scientologists come looking for a court order. But in the final analysis, I struggle to see how an RPKI cert revocation would be any different from adding a prefix to the "official" blacklist that ISPs are encouraged to implement today. PS: Apologies for changing the Subject: header to something meaningful.
- Previous message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
- Next message (by thread): [address-policy-wg] the implications of RPKI certificate revokation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]